windows: add WinVerifyTrustEx function
This commit adds the function and the structs it requires. It is the same
as the WinVerifyTrust function but with a more precise signature.
https://docs.microsoft.com/en-us/windows/win32/api/wintrust/nf-wintrust-winverifytrustex
Change-Id: I43ae20302ba85a6ae1fc32ad4c34b59bee0a6a35
Reviewed-on: https://go-review.googlesource.com/c/sys/+/285715
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Jason A. Donenfeld
3 years ago
21 | 21 | |
22 | 22 | const ( |
23 | 23 | InvalidHandle = ^Handle(0) |
24 | InvalidHWND = ^HWND(0) | |
24 | 25 | |
25 | 26 | // Flags for DefineDosDevice. |
26 | 27 | DDD_EXACT_MATCH_ON_REMOVE = 0x00000004 |
283 | 284 | //sys CertFindExtension(objId *byte, countExtensions uint32, extensions *CertExtension) (ret *CertExtension) = crypt32.CertFindExtension |
284 | 285 | //sys CryptQueryObject(objectType uint32, object unsafe.Pointer, expectedContentTypeFlags uint32, expectedFormatTypeFlags uint32, flags uint32, msgAndCertEncodingType *uint32, contentType *uint32, formatType *uint32, certStore *Handle, msg *Handle, context *unsafe.Pointer) (err error) = crypt32.CryptQueryObject |
285 | 286 | //sys CryptDecodeObject(encodingType uint32, structType *byte, encodedBytes *byte, lenEncodedBytes uint32, flags uint32, decoded unsafe.Pointer, decodedLen *uint32) (err error) = crypt32.CryptDecodeObject |
287 | //sys WinVerifyTrustEx(hwnd HWND, actionId *GUID, data *WinTrustData) (ret error) = wintrust.WinVerifyTrustEx | |
286 | 288 | //sys RegOpenKeyEx(key Handle, subkey *uint16, options uint32, desiredAccess uint32, result *Handle) (regerrno error) = advapi32.RegOpenKeyExW |
287 | 289 | //sys RegCloseKey(key Handle) (regerrno error) = advapi32.RegCloseKey |
288 | 290 | //sys RegQueryInfoKey(key Handle, class *uint16, classLen *uint32, reserved *uint32, subkeysLen *uint32, maxSubkeyLen *uint32, maxClassLen *uint32, valuesLen *uint32, maxValueNameLen *uint32, maxValueLen *uint32, saLen *uint32, lastWriteTime *Filetime) (regerrno error) = advapi32.RegQueryInfoKeyW |
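Review bot: The `(ret error)` result on the new `//sys WinVerifyTrustEx` directive makes the generated wrapper turn every non-zero return into a `syscall.Errno`, but WinVerifyTrustEx returns a LONG status from the trust provider (HRESULT-style values such as TRUST_E_NOSIGNATURE), not a Win32 error code, and the commit adds no constants for those statuses. Callers that need to tell "unsigned" from "bad digest" from "revoked" are therefore left comparing the Errno against raw hex values. Consider documenting this next to the directive: `// WinVerifyTrustEx returns nil only when the trust provider reports success; any other status is returned as a syscall.Errno carrying the provider's HRESULT (e.g. TRUST_E_NOSIGNATURE), not a Win32 error code.` Adding the TRUST_E_* values from winerror.h in a follow-up would let callers use errors.Is against named constants.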
519 | 519 | REALTIME_PRIORITY_CLASS = 0x00000100 |
520 | 520 | ) |
521 | 521 | |
522 | /* wintrust.h constants for WinVerifyTrustEx */ | |
523 | const ( | |
524 | WTD_UI_ALL = 1 | |
525 | WTD_UI_NONE = 2 | |
526 | WTD_UI_NOBAD = 3 | |
527 | WTD_UI_NOGOOD = 4 | |
528 | ||
529 | WTD_REVOKE_NONE = 0 | |
530 | WTD_REVOKE_WHOLECHAIN = 1 | |
531 | ||
532 | WTD_CHOICE_FILE = 1 | |
533 | WTD_CHOICE_CATALOG = 2 | |
534 | WTD_CHOICE_BLOB = 3 | |
535 | WTD_CHOICE_SIGNER = 4 | |
536 | WTD_CHOICE_CERT = 5 | |
537 | ||
538 | WTD_STATEACTION_IGNORE = 0x00000000 | |
539 | WTD_STATEACTION_VERIFY = 0x00000010 | |
540 | WTD_STATEACTION_CLOSE = 0x00000002 | |
541 | WTD_STATEACTION_AUTO_CACHE = 0x00000003 | |
542 | WTD_STATEACTION_AUTO_CACHE_FLUSH = 0x00000004 | |
543 | ||
544 | WTD_USE_IE4_TRUST_FLAG = 0x1 | |
545 | WTD_NO_IE4_CHAIN_FLAG = 0x2 | |
546 | WTD_NO_POLICY_USAGE_FLAG = 0x4 | |
547 | WTD_REVOCATION_CHECK_NONE = 0x10 | |
548 | WTD_REVOCATION_CHECK_END_CERT = 0x20 | |
549 | WTD_REVOCATION_CHECK_CHAIN = 0x40 | |
550 | WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = 0x80 | |
551 | WTD_SAFER_FLAG = 0x100 | |
552 | WTD_HASH_ONLY_FLAG = 0x200 | |
553 | WTD_USE_DEFAULT_OSVER_CHECK = 0x400 | |
554 | WTD_LIFETIME_SIGNING_FLAG = 0x800 | |
555 | WTD_CACHE_ONLY_URL_RETRIEVAL = 0x1000 | |
556 | WTD_DISABLE_MD2_MD4 = 0x2000 | |
557 | WTD_MOTW = 0x4000 | |
558 | ||
559 | WTD_UICONTEXT_EXECUTE = 0 | |
560 | WTD_UICONTEXT_INSTALL = 1 | |
561 | ) | |
562 | ||
522 | 563 | var ( |
523 | 564 | OID_PKIX_KP_SERVER_AUTH = []byte("1.3.6.1.5.5.7.3.1\x00") |
524 | 565 | OID_SERVER_GATED_CRYPTO = []byte("1.3.6.1.4.1.311.10.3.3\x00") |
525 | 566 | OID_SGC_NETSCAPE = []byte("2.16.840.1.113730.4.1\x00") |
567 | ||
568 | WINTRUST_ACTION_GENERIC_VERIFY_V2 = GUID{ | |
569 | Data1: 0xaac56b, | |
570 | Data2: 0xcd44, | |
571 | Data3: 0x11d0, | |
572 | Data4: [8]byte{0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee}, | |
573 | } | |
526 | 574 | ) |
527 | 575 | |
528 | 576 | // Pointer represents a pointer to an arbitrary Windows type. |
1282 | 1330 | // Not implemented |
1283 | 1331 | } |
1284 | 1332 | |
1333 | type CertStrongSignPara struct { | |
1334 | Size uint32 | |
1335 | InfoChoice uint32 | |
1336 | InfoOrSerializedInfoOrOID unsafe.Pointer | |
1337 | } | |
1338 | ||
1339 | type WinTrustData struct { | |
1340 | Size uint32 | |
1341 | PolicyCallbackData uintptr | |
1342 | SIPClientData uintptr | |
1343 | UIChoice uint32 | |
1344 | RevocationChecks uint32 | |
1345 | UnionChoice uint32 | |
1346 | FileOrCatalogOrBlobOrSgnrOrCert unsafe.Pointer | |
1347 | StateAction uint32 | |
1348 | StateData Handle | |
1349 | URLReference *uint16 | |
1350 | ProvFlags uint32 | |
1351 | UIContext uint32 | |
1352 | SignatureSettings *WinTrustSignatureSettings | |
1353 | } | |
1354 | ||
1355 | type WinTrustFileInfo struct { | |
1356 | Size uint32 | |
1357 | FilePath *uint16 | |
1358 | File Handle | |
1359 | KnownSubject *GUID | |
1360 | } | |
1361 | ||
1362 | type WinTrustSignatureSettings struct { | |
1363 | Size uint32 | |
1364 | Index uint32 | |
1365 | Flags uint32 | |
1366 | SecondarySigs uint32 | |
1367 | VerifiedSigIndex uint32 | |
1368 | CryptoPolicy *CertStrongSignPara | |
1369 | } | |
1370 | ||
1285 | 1371 | const ( |
1286 | 1372 | // do not reorder |
1287 | 1373 | HKEY_CLASSES_ROOT = 0x80000000 + iota |
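Review bot: `WTD_STATEACTION_VERIFY = 0x00000010` in the wintrust constant block added earlier in this file looks wrong: wintrust.h and the WINTRUST_DATA documentation define WTD_STATEACTION_VERIFY as 0x00000001, and the neighbouring values (IGNORE 0, CLOSE 2, AUTO_CACHE 3, AUTO_CACHE_FLUSH 4) make the gap visible. Since this is the value every caller sets to actually perform a signature check, a wrong constant means verification requests go out with a state action the API does not define, and the result of such a call cannot be relied on; the line should read `WTD_STATEACTION_VERIFY = 0x00000001`. The header `/* wintrust.h constants for WinVerifyTrustEx */` is also the only C-style comment in the hunk, while the surrounding blocks use `//` (e.g. `// Flags for DefineDosDevice.`). The new WinTrustData type would benefit from a comment stating that Size must be set to the struct's size and that, per the WINTRUST_DATA docs, a call made with WTD_STATEACTION_VERIFY must be followed by one with WTD_STATEACTION_CLOSE so that StateData is released.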
50 | 50 | modshell32 = NewLazySystemDLL("shell32.dll") |
51 | 51 | moduser32 = NewLazySystemDLL("user32.dll") |
52 | 52 | moduserenv = NewLazySystemDLL("userenv.dll") |
53 | modwintrust = NewLazySystemDLL("wintrust.dll") | |
53 | 54 | modws2_32 = NewLazySystemDLL("ws2_32.dll") |
54 | 55 | modwtsapi32 = NewLazySystemDLL("wtsapi32.dll") |
55 | 56 | |
353 | 354 | procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock") |
354 | 355 | procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock") |
355 | 356 | procGetUserProfileDirectoryW = moduserenv.NewProc("GetUserProfileDirectoryW") |
357 | procWinVerifyTrustEx = modwintrust.NewProc("WinVerifyTrustEx") | |
356 | 358 | procFreeAddrInfoW = modws2_32.NewProc("FreeAddrInfoW") |
357 | 359 | procGetAddrInfoW = modws2_32.NewProc("GetAddrInfoW") |
358 | 360 | procWSACleanup = modws2_32.NewProc("WSACleanup") |
3022 | 3024 | return |
3023 | 3025 | } |
3024 | 3026 | |
3027 | func WinVerifyTrustEx(hwnd HWND, actionId *GUID, data *WinTrustData) (ret error) { | |
3028 | r0, _, _ := syscall.Syscall(procWinVerifyTrustEx.Addr(), 3, uintptr(hwnd), uintptr(unsafe.Pointer(actionId)), uintptr(unsafe.Pointer(data))) | |
3029 | if r0 != 0 { | |
3030 | ret = syscall.Errno(r0) | |
3031 | } | |
3032 | return | |
3033 | } | |
3034 | ||
3025 | 3035 | func FreeAddrInfoW(addrinfo *AddrinfoW) { |
3026 | 3036 | syscall.Syscall(procFreeAddrInfoW.Addr(), 1, uintptr(unsafe.Pointer(addrinfo)), 0, 0) |
3027 | 3037 | return |